On Friday 03 September 2004 20:35, David Fraser wrote:
> This is security by obscurity. I would think making sure the values
> passed into a function are safe is more important. The danger of
> security by obscurity is it misleads you into not doing this kind of
> checking...
> I *love* being able to pass GET variables into functions in other
> people's programs ... it means web programs are easier to interact with.
> Just this week I wrote a script to search for flights on top of an
> airline's website ... it saved me a lot of time
Actually, there is a security aspect to removing the ability to use query
string parameters in place of POST variables. An attacker who can induce
somebody to visit a page they created can cause the user to automatically
call these functions by simply using something like:
<img src="http://www.example.com/script?deletesomething=true">
As it will be the user who is executing this function, the only clue you have
to "making sure the values passed into a function are safe" is that it was
submitted via query string parameters and not POST variables.
If you don't use the query string parameters when you are expecting POST
variables, then your users are not susceptible to this form of attack.
--
Jim Dabell
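The attack Jim describes, worked through as an added example that is not part of the thread: a constructed request object and a delete handler that first reads its parameter from either the query string or the POST body (the permissive style under discussion), then from the POST body only. The example also goes one step beyond the message: because an attacker's page can auto-submit a cross-site `<form method="POST">` just as easily as it can embed an `<img>`, the handler optionally requires a per-session token in the body as well. The `Request` class, `SESSIONS` store and all sample requests are assumptions built for this example; nothing here is from a real server.

```python
"""Added example (not from the thread): why a state-changing action should read
its parameters from the POST body only, and why that check is best paired with
a per-session token. All requests are constructed inline; there is no server."""
from urllib.parse import parse_qs
import hmac
import secrets


class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""

    def __init__(self, method, query_string="", body="", session_id=None):
        self.method = method
        self.query = parse_qs(query_string)          # ?name=value parameters
        # Form fields exist only for a POST carrying a urlencoded body.
        self.form = parse_qs(body) if method == "POST" else {}
        self.session_id = session_id                 # would come from a cookie


# Server-side session store: session id -> CSRF token (constructed for the example).
SESSIONS = {}


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid


def param_any(req, name):
    """The permissive lookup the thread discusses: POST body OR query string.
    A GET produced by <img src="...?deletesomething=true"> satisfies it."""
    return (req.form.get(name) or req.query.get(name) or [None])[0]


def param_post_only(req, name):
    """Accept the parameter only from the body of a POST, never from the query string."""
    if req.method != "POST":
        return None
    return (req.form.get(name) or [None])[0]


def handle_delete(req, lookup, require_token=False):
    """Return what a delete endpoint would do for `req` with the given lookup."""
    if lookup(req, "deletesomething") != "true":
        return "ignored"
    if require_token:
        # A cross-site form can still POST, so also demand the session's token,
        # which only a page served by this application can know.
        expected = SESSIONS.get(req.session_id)
        supplied = param_post_only(req, "csrf_token")
        if expected is None or supplied is None or not hmac.compare_digest(expected, supplied):
            return "rejected"
    return "deleted"


def demo():
    """Run the three request shapes through the handler variants."""
    sid = new_session()
    token = SESSIONS[sid]
    # 1. What the <img src> in the thread produces: a GET with the victim's session.
    img_get = Request("GET", "deletesomething=true", session_id=sid)
    # 2. The application's own form: a POST that carries the session token.
    real_post = Request("POST", body=f"deletesomething=true&csrf_token={token}", session_id=sid)
    # 3. An auto-submitted cross-site form: right method, but cannot supply the token.
    foreign_post = Request("POST", body="deletesomething=true", session_id=sid)
    return {
        "img_get/any": handle_delete(img_get, param_any),
        "img_get/post_only": handle_delete(img_get, param_post_only),
        "foreign_post/post_only": handle_delete(foreign_post, param_post_only),
        "foreign_post/post_only+token": handle_delete(foreign_post, param_post_only, True),
        "real_post/post_only+token": handle_delete(real_post, param_post_only, True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32} -> {outcome}")
```

Reading the parameter from the POST body only is enough to stop the `<img>` case, which is exactly Jim's point; the `foreign_post/post_only` line shows why a method check alone is not the whole story, and the token turns that case into a rejection while the application's own form still succeeds.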